cyberneticlibrary

Analyze detection coverage rules

detection-coverage-analysis · skill · setup · L3442
MHaggis/Security-Detections-MCP
What it does

Analyze security detection coverage of Sigma, Splunk, and Elastic rules across MITRE ATT&CK tactics

Best for

Quickly finding detection gaps for ransomware, APT, or persistence threat profiles without wasting tokens on full rule dumps.

Inputs
  • source_type (elastic, splunk, or sigma)
  • exactly one of tactic, threat_profile, or technique_id to scope the analysis
Outputs
  • coverage %, top covered techniques, and gaps (techniques with no rule)
  • ATT&CK Navigator JSON layer
  • technique IDs grouped by tactic
Requires
  • Sigma, Splunk, or Elastic detection rules
  • MITRE ATT&CK framework data (tactic and technique definitions)
  • ATT&CK Navigator (to render the layer output)
Preconditions
  • Detection rules indexed
  • Rules mapped to MITRE ATT&CK tactics and techniques
Failure modes
  • Large responses burn tokens when the query is not scoped to a tactic, profile, or technique
  • Predefined threat profile incomplete (techniques you care about are missing from it)
  • Navigator JSON layer invalid and rejected on import
Trust signals
  • Token comparison (roughly 50KB raw rule dump → 2KB summary)
  • 6 predefined threat profiles
  • analyze_coverage() returns a compact summary (~2KB)
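The following is an added example of the analysis this skill describes; it is not code from MHaggis/Security-Detections-MCP. It assumes rules are already indexed as Sigma-style dicts with `attack.*` tags, uses a constructed slice of the ATT&CK matrix and one constructed threat profile in place of the full framework data, and names its functions (`analyze_coverage`, `navigator_layer`, `validate_layer`, `response_sizes`) for illustration only. It shows the compact summary (coverage %, top techniques, gaps), the Navigator layer with a validity check, and the size difference between a raw rule dump and the summary.

```python
"""Detection-coverage analysis over indexed Sigma-style rules.

Added example; not code from MHaggis/Security-Detections-MCP. The technique
table, threat profile, rules, and function names below are constructed."""
import json
import re
from collections import Counter

# Constructed: a few ATT&CK techniques per tactic. A real run would load the
# full matrix from the ATT&CK STIX bundle instead of this table.
TECHNIQUES_BY_TACTIC = {
    "persistence": ["T1053.005", "T1547.001", "T1543.003", "T1136.001", "T1546.003"],
    "defense-evasion": ["T1562.001", "T1070.001", "T1027"],
}

# Constructed threat profile: the technique IDs an analyst wants covered.
THREAT_PROFILES = {
    "ransomware": ["T1053.005", "T1562.001", "T1070.001", "T1547.001"],
}

# Constructed, already-parsed Sigma-style rules ("detection rules indexed").
# Only the attack.* tags drive coverage; detection bodies are shortened.
RULES = [
    {"title": "Scheduled Task Creation via schtasks",
     "tags": ["attack.persistence", "attack.t1053.005"],
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {"selection": {"Image|endswith": "\\schtasks.exe",
                                 "CommandLine|contains": "/create"},
                   "condition": "selection"}},
    {"title": "Run Key Modification",
     "tags": ["attack.persistence", "attack.t1547.001"],
     "logsource": {"product": "windows", "category": "registry_set"},
     "detection": {"selection": {"TargetObject|contains": "\\CurrentVersion\\Run\\"},
                   "condition": "selection"}},
    {"title": "Run Key Modification (Sysmon)",
     "tags": ["attack.persistence", "attack.t1547.001"],
     "logsource": {"product": "windows", "service": "sysmon"},
     "detection": {"selection": {"EventID": 13, "TargetObject|contains": "\\Run\\"},
                   "condition": "selection"}},
    {"title": "Windows Defender Disabled via Registry",
     "tags": ["attack.defense_evasion", "attack.t1562.001"],
     "logsource": {"product": "windows", "category": "registry_set"},
     "detection": {"selection": {"TargetObject|endswith": "\\DisableAntiSpyware",
                                 "Details": "DWORD (0x00000001)"},
                   "condition": "selection"}},
    {"title": "Rule with no ATT&CK tags", "tags": [],
     "detection": {"condition": "selection"}},
]

TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)
TECH_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def techniques_in_rule(rule):
    """Technique IDs from a rule's attack.tNNNN[.NNN] tags, upper-cased."""
    return {m.group(1).upper() for tag in rule.get("tags", []) if (m := TECH_TAG.match(tag))}


def index_rules(rules):
    """Rule count per technique ID across the whole rule set."""
    counts = Counter()
    for rule in rules:
        counts.update(techniques_in_rule(rule))
    return counts


def analyze_coverage(rules, tactic=None, threat_profile=None, technique_id=None, top_n=3):
    """Compact coverage summary scoped to one tactic, threat profile, or technique.

    Returns counts, the best-covered techniques and the gaps, never the
    matching rules themselves, so the response stays small."""
    if technique_id:
        scope = [technique_id.upper()]
    elif threat_profile:
        scope = THREAT_PROFILES[threat_profile]
    elif tactic:
        scope = TECHNIQUES_BY_TACTIC[tactic]
    else:
        raise ValueError("one of tactic, threat_profile or technique_id is required")
    counts = index_rules(rules)
    rule_counts = {t: counts[t] for t in sorted(scope)}   # Counter gives 0 for gaps
    covered = [t for t, n in rule_counts.items() if n]
    return {
        "coverage_pct": round(100 * len(covered) / len(scope), 1),
        "covered": len(covered),
        "total": len(scope),
        "top_techniques": sorted(covered, key=lambda t: (-rule_counts[t], t))[:top_n],
        "gaps": [t for t, n in rule_counts.items() if n == 0],
        "rule_counts": rule_counts,
    }


def navigator_layer(summary, name="Detection coverage"):
    """ATT&CK Navigator layer; score = rules per technique, so 0 highlights a gap.
    The version strings are an assumption; check them against your Navigator release."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "techniques": [{"techniqueID": t, "score": n, "comment": f"{n} rule(s)"}
                       for t, n in summary["rule_counts"].items()],
    }


def validate_layer(layer):
    """List of problems with a layer; empty means it is safe to import into Navigator."""
    problems = [f"missing key: {k}" for k in ("name", "domain", "versions", "techniques")
                if k not in layer]
    for entry in layer.get("techniques", []):
        tid = entry.get("techniqueID", "")
        if not TECH_ID.match(tid):
            problems.append(f"bad techniqueID: {tid!r}")
        if not isinstance(entry.get("score"), int):
            problems.append(f"non-integer score for {tid}")
    return problems


def response_sizes(rules, summary):
    """Bytes of the full rule dump versus the compact summary (the token comparison)."""
    return len(json.dumps(rules)), len(json.dumps(summary))


if __name__ == "__main__":
    summary = analyze_coverage(RULES, tactic="persistence")
    print(json.dumps(summary, indent=1))
    print("layer problems:", validate_layer(navigator_layer(summary)))
    print("full dump vs summary bytes:", response_sizes(RULES, summary))
```

Scoping by a tactic's technique list rather than by scanning tags is what makes gaps visible: a technique with no rule never appears in the tag index, so it can only be reported as a gap if the scope comes from the framework side.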